Hardening and Customizations

BrickStor SP Admin Accounts

BrickStor SP provides a default Administrator account configured at installation. This account has the privileges needed to perform most BrickStor SP administrative tasks. However, certain tasks, such as rebooting, require full root privileges (for example, sudo reboot).

Configure Active Directory login for BrickStor SP Manager and Hub

Admin accounts can be configured to use Active Directory for authentication and authorization.

These instructions assume the BrickStor SP is joined to the domain. For more information, see BrickStor SP User Guide.
  1. Obtain a DN or distinguishedName of a domain group used to allow BrickStor SP management access.

    1. PowerShell example: Get-ADGroup -Identity "[groupName]" | Select-Object DistinguishedName

  2. Edit the AdminGroups property in the /etc/racktop/bsrapid/bsrapid.conf file, adding the distinguishedName value from step 1 enclosed in quotes. Multiple values can be added, separated by commas. See the example below:

    Example 1. Adding Admins group
    AdminGroups = ["bsradmins", "CN=Admins,OU=Groups,OU=MGT,DC=racktoplabs,DC=com"]
  3. Restart the hubd and bsrapid services:

    1. svcadm restart bsrapid hubd

Password Restrictions

To better fit a company’s password security regulations, BrickStor SP admins can configure the strength and expiration of passwords. Additionally, BrickStor SP prevents users from reusing the same password.

Password restrictions are managed in the /etc/default/passwd file by providing the following options:

  1. PASSLENGTH= [characters]

    1. The minimum number of characters that a password must contain

  2. MINDIFF= [characters]

    1. Minimum number of characters in the new password that are distinct from the old password

Example 2. Configure password to require 8 or more characters and be at least 4 characters different from the previous password
PASSLENGTH=8
MINDIFF=4

Networking

This section covers security best practices related to the network configuration.

Configure Management Interface

By default, BrickStor SP management services are available on all of the system's IP addresses. It is good security practice to isolate management services from the data network(s) using VLANs or a dedicated network port.

To configure management services to listen on a specific IP address:

These instructions assume the management IP address is configured and functioning correctly. For more information, see BrickStor SP User Guide.
  1. Using the BrickStor SP CLI, edit the ListenAddress and ListenAddressPub properties in the /etc/racktop/bsrapid/bsrapid.conf file. See the example below:

    Example 3. Configure the bsrapid listen address
    ListenAddress = "192.168.1.2:8443"
    ListenAddressPub = "192.168.1.2:443"
  2. Edit the ListenAddress property under both the [Web] and [Connect] sections of the /etc/racktop/hubd/hubd.conf file. See the example below:

    Example 4. Configure the hubd listen address
    [Web]
      ListenAddress = "192.168.1.2"
      ...
    [Connect]
      ListenAddress = "192.168.1.2"
  3. Restart the hubd and bsrapid services:

    • svcadm restart hubd bsrapid
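As an added example (not RackTop's own tooling), the following POSIX shell script reads a Key = value setting from the TOML-style conf files edited above, honouring [Section] headers so the two hubd ListenAddress entries are told apart, and reports any management listener that is unset or bound to every interface. The same conf_get helper reads any other setting in these files, such as DisableMyrack in myrackd.conf; the awk parsing rules and the sample files are constructed here, not taken from RackTop's documentation.

```shell
#!/bin/sh
# Added example, not RackTop's own tooling: read "Key = value" settings from the
# TOML-style bsrapid.conf / hubd.conf files (honouring [Section] headers) and
# flag management listeners that are unset or bound to every address.

# conf_get FILE SECTION KEY: print the value with quotes stripped ("" if absent).
# Pass SECTION as "" for files without sections, such as bsrapid.conf.
conf_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*\[/ {                                    # [Section] header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        /^[ \t]*[A-Za-z_]+[ \t]*=/ {                     # Key = value line
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            if (key == want_key && sec == want_sec) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val)
                gsub(/"/, "", val); print val; exit } }' "$1"
}

# listen_ok VALUE: succeed only when bound to a specific address.
# An empty value, 0.0.0.0, [::] or a bare ":port" all mean "every interface".
listen_ok() {
    case "$1" in
        ""|0.0.0.0*|"[::]"*|:*) return 1 ;;
        *) return 0 ;;
    esac
}

# audit_listeners BSRAPID_CONF HUBD_CONF: print one WEAK line per finding and
# succeed only when every management listener is pinned to an address.
audit_listeners() {
    weak=0
    for key in ListenAddress ListenAddressPub; do
        v=$(conf_get "$1" "" "$key")
        listen_ok "$v" || { echo "WEAK bsrapid $key=\"$v\""; weak=$((weak + 1)); }
    done
    for sec in Web Connect; do
        v=$(conf_get "$2" "$sec" ListenAddress)
        listen_ok "$v" || { echo "WEAK hubd [$sec] ListenAddress=\"$v\""; weak=$((weak + 1)); }
    done
    [ "$weak" -eq 0 ]
}

# demo: constructed sample files (not real configs); hubd [Connect] is left unpinned.
demo() {
    d=$(mktemp -d)
    printf 'ListenAddress = "192.168.1.2:8443"\nListenAddressPub = "192.168.1.2:443"\n' > "$d/bsrapid.conf"
    printf '[Web]\n  ListenAddress = "192.168.1.2"\n[Connect]\n  ListenAddress = ""\n' > "$d/hubd.conf"
    audit_listeners "$d/bsrapid.conf" "$d/hubd.conf" || echo "hubd needs pinning before restart"
    rm -rf "$d"
}
demo
```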

Log Forwarding

System Log

RFC 5424 compliant system logs can be forwarded to a log repository. Edit the following file with the proper endpoint:

vi /etc/rsyslog.d/remote.conf

Example UDP Configuration

*.* @192.168.1.123:514

Example TCP Configuration

*.* @@192.168.1.123:514

Then restart the system-log service:

svcadm restart system-log

User Behavior Activity Log

User Behavior activity can be forwarded to a SIEM or log centralization system for off-system processing and analysis. To forward User Behavior Activity to another host, edit the following configuration file:

/etc/racktop/ubcollectd/ubcollectd.conf:

[Syslog]
Protocol = "udp"
Server = "<IP Address>:514"
CertFile = ""
Facility = "local0"
Enabled = true

File Protocols

To restrict share access to dedicated network interfaces only, configure host-based access control.

SMB

BrickStor SP supports SMB up to version 3.0.2, and admins can enable, disable, and require signing and protocol encryption. Signing can slow down client connections because it requires more communication between the client and server; however, newer SMB clients are faster because they have reduced the number of round trips.

The storage admin can also set a minimum and a maximum protocol version. The admin should set a minimum protocol version of 2.1 from the command line, using the following command:

sharectl set -p min_protocol=2.1 smb

Enable SMB signing and encryption by running the following commands:

sharectl set -p encrypt=enabled smb

sharectl set -p signing_enabled=true smb

When SMB signing and encryption are required, BrickStor SP will refuse unsigned connections and clients that cannot encrypt the protocol.

Require SMB signing and encryption by running the following commands:

sharectl set -p encrypt=required smb

sharectl set -p signing_required=true smb

NFS

Context Security Labels

From the myRack Manager user interface, admins can enable context security labels on NFS version 4.2 to enable Mandatory Access Control (MAC). This can be configured on a per-share basis or set globally from the command line to enforce it across all NFS shares. If using the system in an MLS environment, the minimum NFS server version should be set to 4.2.

Minimum NFS Server Protocol

Admins can set the minimum protocol version to 3, 4, 4.1, or 4.2 for BrickStor SP as an NFS server. From the command line, run the following command:

sharectl set -p server_versmin=<num> NFS

Example to set it to minimum version 4.1:

sharectl set -p server_versmin=4.1 NFS
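As an added example covering both the SMB settings and the NFS minimum version above (not RackTop's own tooling), this POSIX shell script checks captured output of sharectl get smb and sharectl get nfs against the hardened values, flagging a minimum SMB protocol below 2.1, signing or encryption that is not required, and an NFS server_versmin below the version you pass. It assumes sharectl prints one property=value line per property; the sample output embedded in the script is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not RackTop's own tooling: check captured "sharectl get smb" and
# "sharectl get nfs" output against the hardened values recommended above.
# Assumes sharectl prints one "property=value" line per property.

# prop_get PROPERTY: read "property=value" lines on stdin, print the value.
prop_get() {
    awk -F= -v want="$1" '$1 == want { print $2; exit }'
}

# version_ge A B: succeed if dotted version A >= B (e.g. 3.0.2 >= 2.1).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# check_smb < sharectl-get-smb-output: one FAIL line per weak setting, succeed if none.
check_smb() {
    out=$(cat); fails=0
    minp=$(printf '%s\n' "$out" | prop_get min_protocol)
    version_ge "${minp:-1.0}" 2.1 || { echo "FAIL smb min_protocol=$minp (want >= 2.1)"; fails=$((fails + 1)); }
    for kv in signing_enabled=true signing_required=true encrypt=required; do
        key=${kv%%=*}; want=${kv#*=}
        have=$(printf '%s\n' "$out" | prop_get "$key")
        [ "$have" = "$want" ] || { echo "FAIL smb $key=$have (want $want)"; fails=$((fails + 1)); }
    done
    [ "$fails" -eq 0 ]
}

# check_nfs MINVER < sharectl-get-nfs-output: require server_versmin >= MINVER (4.2 for MLS).
check_nfs() {
    have=$(prop_get server_versmin)
    version_ge "${have:-2}" "$1" || { echo "FAIL nfs server_versmin=$have (want >= $1)"; return 1; }
}

# Constructed sample output (not captured from a real system): SMB still at permissive values.
SAMPLE_SMB='min_protocol=1
signing_enabled=false
signing_required=false
encrypt=disabled'
SAMPLE_NFS='server_versmin=3
server_versmax=4'

printf '%s\n' "$SAMPLE_SMB" | check_smb || echo "smb needs hardening"
printf '%s\n' "$SAMPLE_NFS" | check_nfs 4.1 || echo "nfs needs hardening"
```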

Key Manager

BrickStor SP’s Key Manager can store the keys for Self-Encrypting Drives (SEDs) and dataset/volume encryption or be configured to an external key manager over KMIP. This must be configured before the use of SEDs or dataset encryption.

Data Encryption

BrickStor SP supports two levels of FIPS encryption: Self-Encrypting Drives and dataset/volume level encryption. Self-Encrypting Drives must be enrolled into the system, which admins can do from the BrickStor SP Manager's Rack View.

  1. Click on any drive in Rack View

  2. Select the more option

  3. Click enroll

  4. (Optional) Select All Pools & Drives.

Once the drives are enrolled, they will be displayed with a shield in the hardware view.

The shield indicates the drive is enrolled and the FIPS ownership process has been completed. Now the system will manage the drive encryption keys.

Media Sanitization

Drives can be crypto-erased in compliance with NIST purge standards, either from the command line using sedadm or through the UI by selecting the drive(s) to be erased.

The sedadm command must be run using its full path, as it is not globally recognized.

Data Replication

Data can be replicated to another pool or system on a per dataset basis. Data in flight is protected with TLS encryption. Datasets and volumes that are encrypted on the source will also be encrypted on the destination. These datasets are not mounted or decrypted on the destination during normal operations. To recover a file or snapshot on the destination, the decryption keys for encrypted datasets and volumes must be imported on the destination system. Replication supports automatically forwarding keys and is configurable on a per dataset basis.

Telemetry Information

BrickStor SP includes features for sending telemetry data automatically to the myRackTop cloud for improved support. This information stream can be disabled with the following steps:

Edit the file /etc/racktop/myrackd/myrackd.conf and change the line below:

DisableMyrack = true

Then restart the myrackd service:

svcadm restart myrackd

Online Update Support

BrickStor SP checks for online updates daily on Internet-connected systems. To disable this, perform the following steps:

Edit the file /etc/bsrupdated/bsrupdated.conf and change the line below:

DisableUpdateServer = true

Then restart the bsrupdated service:

svcadm restart bsrupdated

Timing

It is important to have consistent time across all systems for security and event logs. BrickStor SP should be connected to an NTP time source. By default, the system will use Active Directory as the time source after a domain join. However, NTP can be configured to point to any compatible time source. The system will use the selected time source and time zone for all log information. However, the GUI will adjust the times to the local time zone set on the desktop that launched the GUI.

Active Directory/LDAP

BrickStor SP can be joined to Active Directory and LDAP servers to support users and group permissions.

User Behavior Auditing

User Behavior Auditing can be enabled on a per-dataset basis. The log provides the identity, source IP address, file path, file protocol, and operation. It can also record permission changes.

Open Network Port Requirements

By default, the following ports are open so that BrickStor SP can provide its various features and functionality.

Table 1. BrickStor SP Open Network Port Requirements

| Ports          | Description/Service | Protocol | Direction     | Purpose                                                    |
|----------------|---------------------|----------|---------------|------------------------------------------------------------|
| 22             | SSH                 | TCP      | bidirectional | Receive management and replication data                    |
| 22, 8444, 8544 | TCP Replication     | TCP      | outbound      | Send replication                                           |
| 25, 587        | mail                | TCP      | outbound      | Send notification emails                                   |
| 53             | DNS                 | UDP      | bidirectional | Domain Name Service                                        |
| 88             | Kerberos            | UDP      | outbound      | Authentication                                             |
| 111            | NFS/rpc             | TCP/UDP  | bidirectional | NFS client access                                          |
| 123            | NTP                 | UDP      | bidirectional | Time synchronization                                       |
| 139, 445       | SMB                 | TCP/UDP  | inbound       | SMB/CIFS client access                                     |
| 161            | SNMP                | UDP      | bidirectional | Monitoring with SNMP                                       |
| 162            | SNMP traps          | UDP      | outbound      | Sending alerts to SNMP stations                            |
| 389, 636       | LDAP                | TCP/UDP  | outbound      | Access to directory service servers                        |
| 443            | HTTPS               | TCP      | outbound      | Call Home for software updates (https://myracktop.com)     |
| 443            | HTTPS               | TCP      | inbound       | RMM/iLO out-of-band management                             |
| 443            | hiavd               | TCP      | outbound      | High Availability Windows Witness                          |
| 514            | syslog              | TCP/UDP  | outbound      | Logging                                                    |
| 623            | RMCP                | TCP/UDP  | inbound       | HA power/IPMI access                                       |
| 2049           | NFS/portmap         | TCP/UDP  | inbound       | NFS client access                                          |
| 2379, 2380     | confd               | TCP      | inbound       | Configuration database                                     |
| 3205, 3260     | iSCSI               | TCP      | inbound       | iSCSI client/initiator access                              |
| 4045           | NFS/lockmgr         | TCP/UDP  | inbound       | NFS client access                                          |
| 4746           | hiavd               | TCP      | bidirectional | High Availability (between HA nodes)                       |
| 5696, 8445     | KMIP                | TCP      | outbound      | Access to key management server                            |
| 5697           | keymgrd             | TCP      | bidirectional | Key replication/sync                                       |
| 5699           | bsrlicensed         | TCP      | bidirectional | HA license check                                           |
| 8000           | hubd                | TCP      | inbound       | Allows external appliances to connect to hub local (TLS)   |
| 8086, 8088     | influxdb            | TCP      | inbound       | Used for BrickStor SP Manager (charts)                     |
| 8123           | hubd                | TCP      | inbound       | Web access to hub local admin interface (HTTPS)            |
| 80, 443, 8443  | bsrapid             | TCP      | inbound       | Used for BrickStor SP Manager (http/https)                 |

ICMP echo (ping) is required between all HA nodes, including the Witness.
Port 4746 for hiavd relates to the first instance of hiavd. The Nth instance of hiavd will use port 4745+N. For example, the second instance of hiavd on the same witness host will listen on port 4747; in that case, inbound TCP port 4747 will need to be allowed on the witness host's firewall. The same logic applies to confd.
Enable IPv4 ICMP echo so that all nodes in the cluster can ping each other.